2 Replies Latest reply on Sep 18, 2014 9:04 AM by zlob

    Agent for sending windows logs to ESM?

    pertis

      Hi

      I wonder if there is some kind of agent from McAfee that you can install on Windows servers that sends syslog to the ESM server?

      I have tried and used Snare from Intersect before and it worked fine.

      Regards, Roger

        • 1. Re: Agent for sending windows logs to ESM?
          alexander_h

          Actually there is an agent developed by McAfee that will do the job; furthermore, if you are using ePO you will be able to deploy and manage it from there.

          It is really useful; below is an example of how you can use the agent to collect IIS logs:

          McAfee KnowledgeBase - Nitro Windows Agent and IIS log tailing

          The agent uses port 8081; you can even send the data encrypted.

          The McAfee SIEM Collector is host-based software that can be configured to send events to a McAfee ESM with a Receiver. The SIEM Collector can be configured to send events from the local Windows machine or from remote Windows machines. The following types of events can be sent to the Receiver using the SIEM Collector:

          · Windows Event Logs
          · Syslog from a file
          · Microsoft System Center Operations Manager
          · Microsoft SQL Server C2 Audit Logs
          · Kaspersky Events
          · Events from a Microsoft SQL or Oracle Database

          Following is a diagram of this process: [diagram of the SIEM Collector sending events to the ESM Receiver]

          The SIEM Collector runs on both 32- and 64-bit architectures.

          • 2. Re: Agent for sending windows logs to ESM?
            zlob

            About Windows Event Logs: by default only SYSTEM, SECURITY and APPLICATION. If you need something else, sorry, how would I know?

            Use SNARE (now I am on the free version); in the SIEM I have 2 rules for SNARE on Windows.